Analysis
- max time kernel: 118s
- max time network: 119s
- platform: windows7_x64
- resource: win7-20231129-en
- resource tags: arch:x64, arch:x86, image:win7-20231129-en, locale:en-us, os:windows7-x64, system
- submitted: 25-06-2024 21:27
- Static task: static1
- Behavioral task: behavioral1
- Sample: 0f96b0622e13675b9579d7e5cd12d4fc_JaffaCakes118.exe
- Resource: win7-20231129-en
General
- Target: 0f96b0622e13675b9579d7e5cd12d4fc_JaffaCakes118.exe
- Size: 622KB
- MD5: 0f96b0622e13675b9579d7e5cd12d4fc
- SHA1: 72f8b00e117ac4583b35e4cedeb36e995e98aa80
- SHA256: ea7d0561a0d804309f42c23761caddf11eed8f97f0bc96a1647a2f344ae5da50
- SHA512: 460e3d57809c04d7165de9184fab41541c1807f46389d50593669c9dfda3b56c729f7481600e63b88909a3258ec3c7c36900add58789f719033ea1a45a51ccba
- SSDEEP: 12288:QMsVpt4raifZzpwX4GPNNNbKQyXcqzEBwIx3cLBiCz43uzdU2YHD:QXVQrVZz5GIQqgjx3xkUDj
Malware Config
Extracted: sality
- http://89.119.67.154/testo5/
- http://kukutrustnet777.info/home.gif
- http://kukutrustnet888.info/home.gif
- http://kukutrustnet987.info/home.gif
- http://www.klkjwre9fqwieluoi.info/
- http://kukutrustnet777888.info/
Signatures
Modifies firewall policy service (3 TTPs, 3 IoCs)
Processes: 0f96b0622e13675b9579d7e5cd12d4fc_JaffaCakes118.exe
- Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" [0f96b0622e13675b9579d7e5cd12d4fc_JaffaCakes118.exe]
- Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" [0f96b0622e13675b9579d7e5cd12d4fc_JaffaCakes118.exe]
- Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" [0f96b0622e13675b9579d7e5cd12d4fc_JaffaCakes118.exe]
UAC bypass
Processes: 0f96b0622e13675b9579d7e5cd12d4fc_JaffaCakes118.exe
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" [0f96b0622e13675b9579d7e5cd12d4fc_JaffaCakes118.exe]
Windows security bypass
Processes: 0f96b0622e13675b9579d7e5cd12d4fc_JaffaCakes118.exe
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" [0f96b0622e13675b9579d7e5cd12d4fc_JaffaCakes118.exe]
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" [0f96b0622e13675b9579d7e5cd12d4fc_JaffaCakes118.exe]
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" [0f96b0622e13675b9579d7e5cd12d4fc_JaffaCakes118.exe]
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" [0f96b0622e13675b9579d7e5cd12d4fc_JaffaCakes118.exe]
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" [0f96b0622e13675b9579d7e5cd12d4fc_JaffaCakes118.exe]
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" [0f96b0622e13675b9579d7e5cd12d4fc_JaffaCakes118.exe]
Disables RegEdit via registry modification (1 IoCs)
Processes: 0f96b0622e13675b9579d7e5cd12d4fc_JaffaCakes118.exe
- Set value (int) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Policies\system\DisableRegistryTools = "1" [0f96b0622e13675b9579d7e5cd12d4fc_JaffaCakes118.exe]
Disables Task Manager via registry modification
Executes dropped EXE (1 IoCs)
Processes: update.exe
- PID 2968 update.exe
Loads dropped DLL (6 IoCs)
Processes: 0f96b0622e13675b9579d7e5cd12d4fc_JaffaCakes118.exe, update.exe
- PID 2548 0f96b0622e13675b9579d7e5cd12d4fc_JaffaCakes118.exe (2 entries)
- PID 2968 update.exe (4 entries)
Memory dumps matching yara rule upx (23 resources):
- behavioral1/memory/2548-N-0x00000000024B0000-0x000000000353E000-memory.dmp for N in 1, 9, 8, 7, 6, 10, 15, 16, 14, 60, 61, 83, 86, 87, 89, 90, 91, 92, 95, 99, 113, 116, 144
Windows security modification
Processes: 0f96b0622e13675b9579d7e5cd12d4fc_JaffaCakes118.exe
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" [0f96b0622e13675b9579d7e5cd12d4fc_JaffaCakes118.exe]
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" [0f96b0622e13675b9579d7e5cd12d4fc_JaffaCakes118.exe]
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" [0f96b0622e13675b9579d7e5cd12d4fc_JaffaCakes118.exe]
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" [0f96b0622e13675b9579d7e5cd12d4fc_JaffaCakes118.exe]
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" [0f96b0622e13675b9579d7e5cd12d4fc_JaffaCakes118.exe]
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" [0f96b0622e13675b9579d7e5cd12d4fc_JaffaCakes118.exe]
- Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc [0f96b0622e13675b9579d7e5cd12d4fc_JaffaCakes118.exe]
Checks whether UAC is enabled
Processes: 0f96b0622e13675b9579d7e5cd12d4fc_JaffaCakes118.exe
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" [0f96b0622e13675b9579d7e5cd12d4fc_JaffaCakes118.exe]
Enumerates connected drives (3 TTPs, 8 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
Processes: 0f96b0622e13675b9579d7e5cd12d4fc_JaffaCakes118.exe
- File opened (read-only) \??\M: [0f96b0622e13675b9579d7e5cd12d4fc_JaffaCakes118.exe]
- File opened (read-only) \??\E: [0f96b0622e13675b9579d7e5cd12d4fc_JaffaCakes118.exe]
- File opened (read-only) \??\G: [0f96b0622e13675b9579d7e5cd12d4fc_JaffaCakes118.exe]
- File opened (read-only) \??\H: [0f96b0622e13675b9579d7e5cd12d4fc_JaffaCakes118.exe]
- File opened (read-only) \??\I: [0f96b0622e13675b9579d7e5cd12d4fc_JaffaCakes118.exe]
- File opened (read-only) \??\J: [0f96b0622e13675b9579d7e5cd12d4fc_JaffaCakes118.exe]
- File opened (read-only) \??\K: [0f96b0622e13675b9579d7e5cd12d4fc_JaffaCakes118.exe]
- File opened (read-only) \??\L: [0f96b0622e13675b9579d7e5cd12d4fc_JaffaCakes118.exe]
Drops file in Windows directory (3 IoCs)
Processes: 0f96b0622e13675b9579d7e5cd12d4fc_JaffaCakes118.exe, update.exe
- File opened for modification C:\Windows\SYSTEM.INI [0f96b0622e13675b9579d7e5cd12d4fc_JaffaCakes118.exe]
- File opened for modification C:\Windows\setupapi.log [update.exe]
- File opened for modification \??\c:\windows\KB901105.log [update.exe]
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
Suspicious behavior: EnumeratesProcesses (2 IoCs)
Processes: 0f96b0622e13675b9579d7e5cd12d4fc_JaffaCakes118.exe
- PID 2548 0f96b0622e13675b9579d7e5cd12d4fc_JaffaCakes118.exe (2 entries)
Suspicious use of AdjustPrivilegeToken (28 IoCs)
Processes: 0f96b0622e13675b9579d7e5cd12d4fc_JaffaCakes118.exe, update.exe
- Token: SeDebugPrivilege, PID 2548 0f96b0622e13675b9579d7e5cd12d4fc_JaffaCakes118.exe (20 entries)
- Token: SeRestorePrivilege, PID 2968 update.exe (7 entries)
- Token: SeDebugPrivilege, PID 2548 0f96b0622e13675b9579d7e5cd12d4fc_JaffaCakes118.exe (1 entry)
Suspicious use of WriteProcessMemory (16 IoCs)
Processes: 0f96b0622e13675b9579d7e5cd12d4fc_JaffaCakes118.exe
- PID 2548 (0f96b0622e13675b9579d7e5cd12d4fc_JaffaCakes118.exe) wrote to memory of PID 1116 (taskhost.exe)
- PID 2548 (0f96b0622e13675b9579d7e5cd12d4fc_JaffaCakes118.exe) wrote to memory of PID 1176 (Dwm.exe)
- PID 2548 (0f96b0622e13675b9579d7e5cd12d4fc_JaffaCakes118.exe) wrote to memory of PID 1204 (Explorer.EXE)
- PID 2548 (0f96b0622e13675b9579d7e5cd12d4fc_JaffaCakes118.exe) wrote to memory of PID 1052 (DllHost.exe)
- PID 2548 (0f96b0622e13675b9579d7e5cd12d4fc_JaffaCakes118.exe) wrote to memory of PID 2968 (update.exe) (7 entries)
- PID 2548 (0f96b0622e13675b9579d7e5cd12d4fc_JaffaCakes118.exe) wrote to memory of PID 1116 (taskhost.exe)
- PID 2548 (0f96b0622e13675b9579d7e5cd12d4fc_JaffaCakes118.exe) wrote to memory of PID 1176 (Dwm.exe)
- PID 2548 (0f96b0622e13675b9579d7e5cd12d4fc_JaffaCakes118.exe) wrote to memory of PID 1204 (Explorer.EXE)
- PID 2548 (0f96b0622e13675b9579d7e5cd12d4fc_JaffaCakes118.exe) wrote to memory of PID 2968 (update.exe) (2 entries)
System policy modification (1 TTPs, 1 IoCs)
Processes: 0f96b0622e13675b9579d7e5cd12d4fc_JaffaCakes118.exe
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" [0f96b0622e13675b9579d7e5cd12d4fc_JaffaCakes118.exe]
Processes
- C:\Windows\system32\taskhost.exe, command line: "taskhost.exe", PID:1116
- C:\Windows\system32\Dwm.exe, command line: "C:\Windows\system32\Dwm.exe", PID:1176
- C:\Windows\Explorer.EXE, command line: C:\Windows\Explorer.EXE, PID:1204
  - C:\Users\Admin\AppData\Local\Temp\0f96b0622e13675b9579d7e5cd12d4fc_JaffaCakes118.exe, command line: "C:\Users\Admin\AppData\Local\Temp\0f96b0622e13675b9579d7e5cd12d4fc_JaffaCakes118.exe", PID:2548
    - Modifies firewall policy service
    - UAC bypass
    - Windows security bypass
    - Disables RegEdit via registry modification
    - Loads dropped DLL
    - Windows security modification
    - Checks whether UAC is enabled
    - Enumerates connected drives
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - System policy modification
    - \??\c:\c4f25b853f77935d3b993694ae\update\update.exe, command line: c:\c4f25b853f77935d3b993694ae\update\update.exe, PID:2968
      - Executes dropped EXE
      - Loads dropped DLL
      - Drops file in Windows directory
      - Suspicious use of AdjustPrivilegeToken
- C:\Windows\system32\DllHost.exe, command line: C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}, PID:1052
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
- Abuse Elevation Control Mechanism (1)
  - Bypass User Account Control (1)
- Create or Modify System Process (1)
  - Windows Service (1)
Defense Evasion
- Abuse Elevation Control Mechanism (1)
  - Bypass User Account Control (1)
- Impair Defenses (4)
  - Disable or Modify System Firewall (1)
  - Disable or Modify Tools (3)
- Modify Registry (5)
Downloads
- Filesize: 550KB
  - MD5: 36be4921687bcafbbbe2ce6a7ed2a551
  - SHA1: 8d7070a009fcde7c9961feb891c1116c5fc53fe0
  - SHA256: 6cb3dcd372892dca08a21491ee4d583d047144687c6ab80126119c4a0e921602
  - SHA512: 4db556d0e81c819054474e0dca0a1f415ccedeedea154ca52f887d62fdb6defc8977e211ca992cd92374fc32eb02b3f0aa3c377eecfc7d22770d260290809061
- Filesize: 30KB
  - MD5: b9b02d97007953e74caaa38497e7278a
  - SHA1: 3954391efec4615a597594b02ad755f539d2fa42
  - SHA256: e4ecf14cf98b855642505802a04be2035db6e13600112c01632e2e600c8184cc
  - SHA512: 78f39f6c6167ba61f52501912b3c5fa6d8c0d594be9f9a5b888b2cb4e19c1d499328fe28a90cc1457e15b14f78ce5a3591b8ed1468afb8d5e944df07a7ae2c6e
- Filesize: 705KB
  - MD5: 2082618918f003a5d8b84a7025265e13
  - SHA1: a847ff56cf2de5f25bee270cba2e319b92f6ad09
  - SHA256: 9a6cf1f1acc4d539fde4b517f37f75df1b19d637309f3ee215944e1f9fccc552
  - SHA512: 3f8f2e73e7242d2edb871efe53af612497dbc7d7b3cab368880788e7675f390ea72699d2bf928e7bac88f6425b6503ff6c73720e7260ddc55ae49b642c5d5f60
- Filesize: 371KB
  - MD5: 47222e529e7547d547d03938a1710ac8
  - SHA1: 17cfa7b82d389c90c63e6541d9de1863777681d9
  - SHA256: c56c7c105b9eff9a7e11db29483dc667f7e6a40eb1446a1e74604ae8cb978d61
  - SHA512: 61b58ac697702fdb270034c5ee92214d2bde7b23a829d7b975404bafa68a0c9b3959e32ccad2b5c2f04030eed73e5902921edfe9716939fda2ac5eccc10a83a9